The types of threat I predict will be prevalent in 2012 are not new. As technology advances and more people take advantage of it, the opportunities for criminal attacks and accidental data loss will increase, while social engineering and hack attacks will become more sophisticated.
1. Mobile devices
Mobile devices, personally-owned or company provided, are a potential route for malware infection and are easy to lose. They are open to hacking attacks and malware; and when using them, it is easy to lose track of what is and is not part of the company network. They could therefore become repositories of sensitive data while being outside the support and control of the IT department.
Educating the user and enforcing security policies are the best methods of protection against errors and abuse: strong passwords, remote tracking and auto locking / data removal in the event of loss are vital. Mobile devices, personally or company-owned, are best used for accessing the corporate network (via appropriate secure links) rather than as repositories of stored information.
2. Social media
Using social media and professional networks could lead to the over-sharing of private information which could be an invitation to targeted social engineering attacks. Social media also provides an effective way to deliver malware such as Trojans via infected links.
Employees have been sacked after commenting on their jobs or colleagues: an inappropriate message posted or emailed in haste can spread at lightning speed, especially if it involves a well-known brand or organisation and gives a mischief-maker the opportunity to cause damage.
Social media usage, both in and out of the work place, will continue to increase in 2012 as more businesses exploit their potential for marketing and other uses. Good security policies must emphasise the difference between personal and work Facebook accounts and their appropriate use.
Hackers attack, deface and disable websites and plunder databases for personal information. ‘Hacktivists’ make what they perceive to be ethical hacking attacks on governments and organisations as a form of political or social activism.
Methods used include social engineering and spear phishing attacks, which increasingly feature refined grammar, more sophisticated language, and cleverly disguised messages; and mass-emailed spam to overwhelm an organisation’s servers. Organisations and high profile events like the London 2012 Olympics could be the target of hackers.
The best defences are physical and behavioural. Physical examples include security patches, spam filters, anti-virus and firewalls, and strong passwords. Behavioural include not clicking on dubious links and attachments and ignoring suspicious social engineering approaches by email, phone or social networks.
4. Cyber threats
Malware used for cyber-espionage attacks (e.g. Stuxnet and Duqu) against government organisations and large companies will become increasingly sophisticated in 2012. Also simpler data stealing malware, spread by social engineering attacks, known as Advanced Persistent Threats (APTs), against targets worldwide continue to increase. As people still represent the weakest link in security, the best defence against APTs is effective training; and the use of aggressive protection technologies in the workplace.
5. Data breaches and losses
The accidental loss of USBs and other storage and mobile devices or the mishandling of sensitive data and hard copy documents will continue to be a significant cause of data breaches in 2012. Poor password procedure and lax online security practices can open the door to malware infection and network downtime for organisations.
The old lessons in basic security remain valid. In the workplace, at home and on the mobile devices used in between; have strong anti-virus and anti-spam software in place, use strong passwords and type in URLs rather than clicking on links. Keep the duplication and proliferation of sensitive material to a minimum and never become complacent if accessing and working with it away from the security of the workplace.